How Acquisitions Can Bring IT Security Risks

When a hospital buys another hospital or physician practice, or a software vendor buys another vendor, how much thought about securing protected health information goes into the consolidation process before that process is complete?

Often, not enough, says Munzoor Shaikh, a senior manager at West Monroe Partners, a Chicago-based business and technology consulting firm. As part of its services, West Monroe examines information infrastructure maturity and security, and conducts HIPAA/HITECH assessments for the organization being acquired. But there are often issues that the company being bought hasn’t tackled, and that the company buying it needs to know about.

Shaikh and colleagues have found instances where visitors are signed into a facility without first receiving a badge or card access, or where a visitor should have an escort but one is not required. When Shaikh enters these facilities, he often is not asked to sign in. “I’d like to make the distinction that we do not break protocol, but we notice that protocol is often not required of us but rather insisted on by us. That’s how we know we could have gotten away with breaking protocol without actually breaking it.”

The full article appeared on Health Data Management.